LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

In this example, you must verify the fingerprint for the key before adding it to the directory server.
An alternative way to change a remote key is to securely obtain the public key file for the remote
host and upload it using the file option as shown in the first example of Section 8.3.2 (page 266),
but without specifying the -a option.
8.3.8 Revoking or removing keys
If a key has been compromised, and you want to revoke it and reissue a new key, use the previously
described process for changing keys. If, on the other hand, you no longer want to manage keys
for a host, you can simply remove the sshPublicKey attribute from the host’s entry using the -k
option with the ! flag, as in the following example:
baker (): ldaphostmgr -k !all router1.mydomain.example.com
bind-dn [uid=domadmin,ou=People,dc=mydomain,dc=example,dc=com]:
Password:
baker (): ldaphostlist -n router1.mydomain.example.com sshPublicKey
dn: cn=router1.mydomain.example.com,ou=Hosts,dc=mydomain,dc=example,dc=com
cn: router1.mydomain.example.com
ipHostNumber: 192.0.32.1
The ldaphostlist command shows that the sshPublicKey has been removed from the router1
entry.
If you only want to remove a specific type, you can replace all with the key type (rsa, rsa1, or
dsa).
NOTE: If you are using the UpdateKeyFromLdap option in the ssh_config file, use of the
! flag does not remove cached instances of those keys. If a client has a cached version of a
compromised key, it is possible for that client to connect to an impostor host that is using the
compromised host key. If you want to remove keys or revoke keys for hosts, you must not enable
the UpdateKeysFromLdap option because when it is enabled, the ssh client tools will update
cached versions of changed keys, but only when a connection is made to the true host.
8.4 Managing key age
LDAP-UX B.05.00 provides the ability to track ssh key age and set advisory expiration dates for
ssh host keys. By default, ldaphostmgr adds key age information to the comment fields within
the ssh public key data when new keys are added or changed in the directory server. ldaphostmgr
can also use this same field to set advisory key expiration dates when new keys are created or
existing keys are changed.
Key age expiration information appears within the comment fields and between the BEGIN-KM
and END-KM tokens. For example:
brewer(): ldaphostlist -k -n "$(hostname)"
dn: cn=brewer,ou=Hosts,dc=mydomain,dc=example,dc=com
cn: brewer
cn: brewer.mydomain.example.com
ipHostNumber: 16.92.96.225
sshPublicKey: ssh-rsa AAAA...== BEGIN-KM creationtime=20100423234903Z END-KM
ldaphostmgr and ldaphostlist can be used to keep track of key age and expiration
information, which is described in the following sections.
NOTE: Key expiration data is merely advisory. It is provided to enable the ldaphostlist tool
to display hosts with keys that are considered expired. HP Secure Shell tools do not reject or take
other actions when a key’s state is considered expired.
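The following is an added example, not part of this guide or of the LDAP-UX tools: it parses the BEGIN-KM/END-KM comment fields from ldaphostlist output as shown above and reports key ages against an advisory limit. It assumes creationtime is in LDAP GeneralizedTime (YYYYMMDDHHMMSSZ) and uses constructed sample output.

```python
"""Read key-age metadata from sshPublicKey values printed by ldaphostlist.

Added example, not HP's own code. Assumes the BEGIN-KM ... END-KM comment
layout shown above, with creationtime in GeneralizedTime (YYYYMMDDHHMMSSZ).
"""
from datetime import datetime, timezone

# Constructed sample of ldaphostlist -k output (key material shortened).
SAMPLE = """\
dn: cn=brewer,ou=Hosts,dc=mydomain,dc=example,dc=com
cn: brewer
ipHostNumber: 16.92.96.225
sshPublicKey: ssh-rsa AAAA...== BEGIN-KM creationtime=20100423234903Z END-KM
sshPublicKey: ssh-dss AAAA...== BEGIN-KM creationtime=20240101120000Z END-KM
"""


def parse_km(value):
    """Return (key type, dict of key=value fields between BEGIN-KM and END-KM)."""
    fields = value.split()
    meta = {}
    if "BEGIN-KM" in fields and "END-KM" in fields:
        start, end = fields.index("BEGIN-KM") + 1, fields.index("END-KM")
        for item in fields[start:end]:
            key, _, val = item.partition("=")
            meta[key] = val
    return fields[0], meta


def parse_time(generalized_time):
    """Convert an LDAP GeneralizedTime string to an aware UTC datetime."""
    return datetime.strptime(generalized_time, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def key_ages(ldif_text, now_gt):
    """Return [(key type, age in whole days)] for every sshPublicKey with creationtime."""
    now = parse_time(now_gt)
    ages = []
    for line in ldif_text.splitlines():
        if not line.startswith("sshPublicKey:"):
            continue
        keytype, meta = parse_km(line.split(":", 1)[1].strip())
        if "creationtime" in meta:
            ages.append((keytype, (now - parse_time(meta["creationtime"])).days))
    return ages


def expired_keys(ldif_text, now_gt, max_age_days):
    """Advisory check only: keys older than max_age_days, matching the NOTE above."""
    return [(t, a) for t, a in key_ages(ldif_text, now_gt) if a > max_age_days]
```

Run it against real output by piping `ldaphostlist -k -n "$(hostname)"` into a file and passing its contents instead of SAMPLE.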
8.4.1 Setting advisory key expiration dates
To set key expiration information, use the -e option on ldaphostmgr, and specify the number
of days (from the current date) when the key is considered expired. The following example shows
8.4 Managing key age 271